Data Protection: The Dirty Secret at the Heart of SaaS

Claire Jarvis at Tectrade looks at data protection and the cloud – highlighting the issues with Office 365 in particular and where the liability lies with lost data.

When was the last time you thoroughly read your SaaS provider’s T&Cs? Many IT managers will be hard pressed in their roles as it is without poring through pages of turgid legalese. Yet doing so might reveal something many providers would prefer to be kept quiet: back-up and data protection in the cloud is a very different beast to that in the on-premise world. In fact, it’s even been the downfall of some companies caught unawares by the crippling support costs and limited liability some providers spring on their clients.

As more and more organisations take advantage of Software as a Service (SaaS) to drive business growth, it’s vital they understand that the buck stops with them when it comes to data protection. And that finding a trusted third party to help manage this cloud-specific challenge is fast becoming a necessity.

SaaS on the march

Just how popular is SaaS? Driven by major tech vendors like Microsoft, Salesforce and Google, it has become a multi-billion-dollar industry. According to analyst IDC, the global SaaS market reached revenues of $31.4 billion in 2015, and will grow at an impressive CAGR of 20% to reach nearly $38bn this year. To put this in perspective, that’s growth five times faster than the traditional software market.

Why is it so popular? Because it gives organisations three things they’ve been demanding for years: flexibility, scalability and CapEx savings. IT leaders are attracted by the opportunity to slash upfront costs in favour of a more predictable pay-as-you-go model, which improves productivity by allowing users to access apps from any internet-connected screen. It also appeals by ensuring the cloud provider manages resource-intensive functions, freeing IT teams up to focus on more strategic tasks.

But here’s the deal: the cloud provider will only offer a limited amount of security functionality – related mainly to protecting its own infrastructure from threats. Some may even offer backup services. But ultimately the customer must ensure that whatever they have in place matches their risk appetite and their audit, compliance and DR needs.

The bottom line is: your data, your responsibility.

When the cloud bites back

So what could go wrong? Well, you may be surprised. Data loss can come from a variety of sources, even if it’s being protected by a multi-billion-dollar technology company, running state-of-the-art datacentres. It could happen accidentally, when data is overwritten by third-party software, or when users close their accounts without migrating all the data from them. Or it could come from malicious deletes performed by registered users, or activity from malicious outsiders. Let’s not underestimate the bad guys here – they’re sophisticated, determined and always have the upper hand on your cloud provider: the element of surprise. But the number one risk, according to analyst Aberdeen Group, is user error – that is, overwriting or deleting data by accident.

If the worst happens, the first port of call will be your cloud provider. But how many of us read the small print in our SLAs? It might surprise many to know that Office 365 will only keep deleted emails and mailboxes for 30 days. For Google Apps it’s 25 days, and in Salesforce.com’s case only 15 days – with the additional blow that any records sent to the Recycle Bin can only be recovered at a support cost of $10,000 per recovery. It might also surprise many IT decision makers to learn how much liability the major cloud providers are prepared to take on: $5,000 or the value of the past 12 months of subscriptions for Office 365, and total subscription costs over the past year for Google. And that’s if you can prove it’s the cloud provider’s fault – which might not be an easy task.

To put that in perspective, when Tectrade is engaged in contract negotiations with a prospective client, we’re talking about maximum liabilities in the millions.

Help is at hand

It’s important therefore for IT managers to understand the risks involved in out-tasking to the cloud. SaaS makes a lot of things easier, but it also takes away a certain amount of control: over where data is stored, and how and where it is backed up. Remember: SaaS vendors are under no obligation to restore your data.

All of the above can cause significant compliance headaches and introduce unnecessary business risk. The answer is to find a trusted third party to help you wrest control of your data back. Choose a partner which can offer a high degree of customisation according to your pre-defined RTOs, RPOs and VROs. Look for technical solutions which allow native API connectivity into the cloud provider’s environment but in a granular way, so you can protect specific tables/objects in Salesforce or certain files in OneDrive if necessary. Also make sure they encrypt data at rest and in transit, and provide air-gapped back-up options.

SaaS offers a wealth of exciting new possibilities for IT teams. But take a step back first to assess the risks and find a technology partner to help you navigate the data protection minefield. It might just end up saving your company millions in regulatory fines, lost customers and brand damage.